HP JetDirect Vulnerabilities Discussed

Published: 2013-01-27
Last Updated: 2013-01-27 17:46:36 UTC
by Tony Carothers (Version: 1)
3 comment(s)

On a slow day in the cyber security world here at ISC, I wanted to open a discussion of the recent review of vulnerabilities in the HP JetDirect software by researcher Sebastián Guerrero (English translation is available here). I have performed audits in highly monitored environments, where change control and secure baselines were the law of the land, and still find known and documented vulnerabilities in the printer environment. Even in highly developed enterprise security groups, the printer firmware is often overlooked because of the ‘low risk’ typically associated with these types of devices. Many of these devices are ignored in vulnerability scans, monitoring devices, and log collection, which is perfect for avoiding detection.

Bad guys know this.

So where is the danger? Anybody remember in the late 90’s when printers became rooted file servers sharing music right beneath the noses of administrators everywhere? The BLUF is that the HP printers today offer network connectivity, computing power and storage, and as such can be targets for exploit. And once a machine which you own is compromised, then the real work (losses) begins.

What’s the word in your world?  What say you?

tony d0t carothers --gmail

Keywords: HP JetDirect

Comments

I have a Lexmark C530 printer on my LAN, which is IPv4, and the printer still spits out IPv6 packets from time to time, which my NIDS picks up. It also keeps requesting time from a no longer active hard-coded time server. Printer firmware probably has unapplied updates, but no more so than wifi routers and access points. The whole arena of single purpose appliances is frequently a vast wasteland of out of date firmware at many sites.
Out of date firmware is usually the problem with Jet Directs. Older firmware versions of Jet Directs offer the capabilities to secure the printer but they usually do not work or render the printer useless. I did notice that newer Jet Directs do walk the talk and do provide more security features that comply with most DoD requirements. Printer security is definitely something that is usually overlooked.
@IA Guy, I appreciate the comment, the printers are walking and talking a lot more. Looking back, the systems we had 20 years ago were just getting legs and a voice, and now we are scrambling to clean up those pieces using painful lessons learned. While printers do not control critical infrastructure, control airplanes, etc., the pattern which leads to the insecurities is similar if not the same.
